Hacktivists Rely On Basic Attack Techniques To Get Out Their Message

Hacktivist groups hell-bent on conducting widespread attacks against banks, government agencies and other businesses often use basic hacking techniques to carry out their campaigns. But when these hacktivists are successful, they can cause serious damage.

That was the finding of an analysis of recent hacktivist campaigns conducted by Omaha, Neb.-based Solutionary, a managed security services provider. In its third-quarter threat report issued this week, Solutionary reviewed attacks carried out by the OpIsraelReborn campaign against Israel-based organizations and the Operation Ababil attacks carried out against U.S. financial institutions. The hacktivist attack techniques often have similar characteristics to campaigns carried out by other groups, including high-profile attacks conducted by the Syrian Electronic Army, said Rob Kraus, director of research at Solutionary.

"There are subtle differences in attack vectors depending on their goals," Kraus told CRN. "In some ways it doesn't make a difference because the targeted organization did something bad securitywise and ultimately the hacktivist group got their message across."

The OpIsraelReborn campaign, carried out by anonymous group of attackers, defaced hundreds of Israeli websites, primarily through targeting SQL injection and cross-site scripting vulnerabilities in websites to take control over the underlying Web application server, Kraus said. Meanwhile, Operation Ababil, carried out by a group calling itself the Qassam Cyber Fighters, has been conducting campaigns for about a year. The group uses distributed denial-of-service attacks (DDoS) to cripple and ultimately take down banking websites. The group also has targeted ISPs and telecommunications providers.

A growing botnet called Brobot increases the threat of additional attacks, according to Solutionary. Brobot and other botnets can be rented out to help strengthen attacks.

"There's easy availability for many of these groups to rent out DDoS botnets to bring down a site for three to four hours," Kraus said. "If a site is not prepared, the return on investment [for these groups] is huge."

DNS registry tampering is another tool increasingly being used against companies that haven't taken measures to lock down their DNS server, often maintained by a DNS registry provider. The longstanding threat involves tampering with the DNS records, pointing visitors to a rogue server containing a malicious website. The most recent DNS hijacking attack was against security firm Rapid7 and the website hosting the Metasploit penetration tool.

A pro-Palestinian hacktivist group called KDMS claimed responsibility for the attacks, which used social engineering to gain the account credentials necessary to make DNS registry changes, Rapid7 said. The group also is believed to be responsible for DDoS attacks against registrars and is believed to be behind a 38-hour campaign against Network Solutions, which resulted in an outage.

Kraus said basic security measures should help mitigate the threat posed by all of the hacktivist attacks. Website scanning can identify vulnerabilities that can be targeted by automated attack tools used by hacktivists to deface websites. A Web application firewall also can prevent attacks and help address vulnerabilities through virtual patching.

Kraus said organizations should assess their current infrastructure for ways to thwart attacks. For example, DDoS protection often can be implemented in next-generation firewalls and other security appliances, but the protection is not turned on by default, he said. Early detection of DDoS attacks is important in filtering out bad traffic to contain the attack. Other measures include working with the business' ISP to provide upstream filtering to reduce the strength of ongoing attacks.

"Many organizations will implement advanced next-generation firewalls, but they don't often realize that many of those advanced firewalls have DDoS modules and mitigation capabilities built in," Kraus said. "Just because a switch on your firewall turns on DDoS protection doesn’t mean that it is going to thwart every single DDoS attack."

XChange Solution Provider 2015 is finally upon us and the timing couldn't be better. The premier channel event is happening March 1-3 in Dallas, bringing together 225 solution provider decision makers from across North America. CRN is at the event to provide news, analysis and a firsthand take from partners.